When Andre inherited responsibility for the new assets after the merger, he knew the situation would be bad, but he had no idea how bad it really was. It was clear that the previous custodians of the I.T. systems had no standardized process for operating the network, let alone any knowledge of cyber security. He needed to find a way to make the environment manageable, and quickly, or he would be swamped with security issues.
Andre started by creating a SMARTSentinel private cloud for his organization. He then deployed the SMARTSentinel agent on his new assets. For the machines that were connected to the domain, he pushed a GPO to run the agent install script. For the other machines, he ran the script remotely. Once the agent was installed, the machine would immediately download Cyber Defence Corporation’s recommended monitoring settings and would set up the appropriate telemetry. The machines would then start uploading data to the cloud and Andre could start figuring out what was running in his network.
After letting telemetry flow into his SMARTSentinel private cloud for a little while, the first thing that jumped out at Andre was that a number of domain-joined machines had names that did not follow the standard naming convention. He wrote their names down and made a note to check whether they were properly documented in the network diagram. With asset inventory on his mind, Andre decided to look at the running processes to find out which machines hosted services. He had the official list of servers, but he wanted to verify it. Searching the entity database for the processes associated with IIS, Exchange, Apache, BIND and so on, he identified the machines that were running these crucial Internet-facing services. This time the official server list was correct (for the most part), but he did find a few servers running on machines labeled for development use.
With his inventory updated, Andre looked for ways to prioritize his risk reduction work. Digging deeper into the entity database, he started triaging the programs running on his new assets. He began by pulling the hashes of the processes that had been run on machines in the network. By starting with the hashes with the lowest host counts (i.e. processes that had run on only a few computers), Andre figured he would find any oddities first. The first few hashes had each been seen on only one machine. Pasting them into VirusTotal instantly revealed that these were botnet infections. He would have to make sure those machines were cleaned before moving forward.
Going down the list, he also found various kinds of non-malicious software. Most of it was unapproved software, like iTunes or BitTorrent, installed on a few machines. Andre made a mental note to revise the policy, but this was not his top priority. A hash present on only one server showed that a critical patch had not been applied properly, leaving the company at risk of remote code execution, and three other machines were apparently running a telnet server. Tackling these big risk items would have to go to the top of the list, which was getting longer by the minute.
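The two checks Andre runs against the entity database, identifying service hosts from process names and triaging executables by how few hosts they appear on, can be reproduced over a flat export of per-host process telemetry. The following is an added example, not SMARTSentinel's own code or API; the telemetry rows, host names, hashes and the `SERVICE_PROCESSES` mapping are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry: (hostname, process name, executable hash).
# Hashes are placeholders standing in for real SHA-256 digests.
TELEMETRY = [
    ("WEB-01", "w3wp.exe", "aaa1"), ("WEB-01", "svchost.exe", "sys1"),
    ("MAIL-01", "MSExchangeTransport.exe", "aaa2"), ("MAIL-01", "svchost.exe", "sys1"),
    ("DEV-07", "httpd.exe", "aaa3"), ("DEV-07", "svchost.exe", "sys1"),
    ("WS-101", "svchost.exe", "sys1"), ("WS-101", "iTunes.exe", "app1"),
    ("WS-102", "svchost.exe", "sys1"), ("WS-102", "iTunes.exe", "app1"),
    ("WS-103", "svchost.exe", "sys1"), ("WS-103", "updsvc.exe", "odd1"),
]

# Process names that indicate an Internet-facing service is hosted on the machine
# (constructed mapping; extend it with the services your environment runs).
SERVICE_PROCESSES = {"w3wp.exe": "IIS", "MSExchangeTransport.exe": "Exchange",
                     "httpd.exe": "Apache", "named.exe": "BIND"}

def hash_prevalence(telemetry):
    """Map each executable hash to the set of hosts it was observed on."""
    hosts = defaultdict(set)
    for host, _proc, digest in telemetry:
        hosts[digest].add(host)
    return hosts

def rare_hashes(telemetry, max_hosts=1):
    """Hashes seen on at most max_hosts machines, rarest first: the triage order
    used in the story. Each row is (hash, hosts, process names)."""
    prevalence = hash_prevalence(telemetry)
    names = defaultdict(set)
    for _host, proc, digest in telemetry:
        names[digest].add(proc)
    rows = [(digest, sorted(hosts), sorted(names[digest]))
            for digest, hosts in prevalence.items() if len(hosts) <= max_hosts]
    return sorted(rows, key=lambda row: (len(row[1]), row[0]))

def service_hosts(telemetry, dev_prefix="DEV-"):
    """Hosts running server processes, plus those sitting on dev-labelled machines
    (the mismatch Andre found between the server list and reality)."""
    found = {}
    for host, proc, _digest in telemetry:
        if proc in SERVICE_PROCESSES:
            found.setdefault(host, set()).add(SERVICE_PROCESSES[proc])
    misplaced = sorted(h for h in found if h.startswith(dev_prefix))
    return found, misplaced
```

Low prevalence only surfaces outliers; a compromised binary deployed everywhere would sit at the bottom of the list, which is why the process-name check is run alongside it rather than instead of it.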
Actually, with all that information, maybe he could get management to fund another position in his department to address these issues…